Re: relayd and TLS client cert verification

2021-02-17 Thread Asherah Connor
On 21/02/18 01:02:p, Theo Buehler wrote:
> This looks pretty good to me and appears to work in basic testing.
> I'd be willing to get this in provided you address the tiny nits
> below.

Thanks for having a look.  Unfortunately I no longer have the time to
maintain this patchset, nor do I maintain a system running relayd any
more.  I believe there are some others looking to make it happen.

Best,

Asherah



Re: relayd and TLS client cert verification

2021-02-17 Thread Theo Buehler
Hi

On Thu, Oct 15, 2020 at 05:52:40PM +1100, Ashe Connor wrote:
> Hi there,
> 
> A year or two ago I submitted a patch for adding TLS client certificate 
> validation to relayd.  At the time it didn't make it in, and I stopped 
> pursuing it further.  
> (https://marc.info/?l=openbsd-tech=154509330608643=2)
> 
> I'd still like to see this landed, if at all possible.  I'm continuing to use 
> this feature on my own personal websites, and it works well.

This looks pretty good to me and appears to work in basic testing.  I'd
be willing to get this in provided you address the tiny nits below.

The diff in its current form applies with a little bit of fuzz, it would
be nice if you could rebase it on top of -current.


> 
> The latest diff is attached, or can be viewed online here: 
> https://github.com/openbsd/src/compare/master...kivikakk:relayd-client-verification.patch
> 
> I've added a test that confirms client failure to connect without a 
> certificate at regress/usr.sbin/relayd/args-ssl-client-verify-fail.pl -- it's 
> a bit awkward.  Let me know if I can redo it better.

The problem with this is that it will make the relayd regress fail:

 run-args-ssl-client-verify-fail.pl 
time SUDO= KTRACE= RELAYD= perl -I/usr/src/regress/usr.sbin/relayd 
/usr/src/regress/usr.sbin/relayd/relayd.pl copy 
/usr/src/regress/usr.sbin/relayd/args-ssl-client-verify-fail.pl
Client no 'connect attempt failed' in client.log after 30 seconds at 
/usr/src/regress/usr.sbin/relayd/relayd.pl line 84.
*** Error 255 in . (Makefile:65 'run-args-ssl-client-verify-fail.pl')
FAILED

This will need to be done in such a way that the test passes. I don't
really understand this perl contraption, so I can't really give advice
on this.

> 
> Best,
> 
> Ashe
> 
> ---
> 
> From c63bca7ba7889b43e0a9317e807499eb8ca0db55 Mon Sep 17 00:00:00 2001
> From: Asherah Connor 
> Date: Thu, 15 Oct 2020 17:23:15 +1100
> Subject: [PATCH] TLS client certificate validation
> 
> ---
>  regress/usr.sbin/relayd/Client.pm | 13 ++
>  regress/usr.sbin/relayd/Makefile  | 18 -
>  regress/usr.sbin/relayd/Relayd.pm |  3 +++
>  .../relayd/args-ssl-client-verify-fail.pl | 25 +++
>  .../usr.sbin/relayd/args-ssl-client-verify.pl | 19 ++
>  usr.sbin/relayd/config.c  | 21 
>  usr.sbin/relayd/parse.y   | 15 ++-
>  usr.sbin/relayd/relay.c   | 21 
>  usr.sbin/relayd/relayd.c  |  9 +++
>  usr.sbin/relayd/relayd.conf.5 |  4 +++
>  usr.sbin/relayd/relayd.h  | 14 +++
>  11 files changed, 155 insertions(+), 7 deletions(-)
>  create mode 100644 regress/usr.sbin/relayd/args-ssl-client-verify-fail.pl
>  create mode 100644 regress/usr.sbin/relayd/args-ssl-client-verify.pl
> 
> diff --git a/regress/usr.sbin/relayd/Client.pm 
> b/regress/usr.sbin/relayd/Client.pm
> index b3e011de13d..ec6fa64274e 100644
> --- a/regress/usr.sbin/relayd/Client.pm
> +++ b/regress/usr.sbin/relayd/Client.pm
> @@ -57,6 +57,11 @@ sub child {
>   PeerAddr=> $self->{connectaddr},
>   PeerPort=> $self->{connectport},
>   SSL_verify_mode => SSL_VERIFY_NONE,
> + SSL_use_cert=> $self->{offertlscert} ? 1 : 0,
> + SSL_cert_file   => $self->{offertlscert} ?
> +"client.crt" : "",
> + SSL_key_file=> $self->{offertlscert} ?
> +"client.key" : "",
>   ) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
>   if ($self->{sndbuf}) {
>   setsockopt($cs, SOL_SOCKET, SO_SNDBUF,
> @@ -86,6 +91,14 @@ sub child {
>   print STDERR "ssl cipher: ",$cs->get_cipher(),"\n";
>   print STDERR "ssl peer certificate:\n",
>   $cs->dump_peer_certificate();
> +
> + if ($self->{offertlscert}) {
> + print STDERR "ssl client certificate:\n";
> + print STDERR "Subject Name: ",
> + "${\$cs->sock_certificate('subject')}\n";
> + print STDERR "Issuer  Name: ",
> + "${\$cs->sock_certificate('issuer')}\n";
> + }
>   }
>  
>   *STDIN = *STDOUT = $self->{cs} = $cs;
> diff --git a/regress/usr.sbin/relayd/Makefile 
> b/regress/usr.sbin/relayd/Makefile
> index cd01aa3fb63..f2198f43cc9 100644
> --- a/regress/usr.sbin/relayd/Makefile
> +++ b/regress/usr.sbin/relayd/Makefile
> @@ -96,7 +96,23 @@ server.req:
>  server.crt: ca.crt server.req
>   openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in 
> server.req -out server.crt
>  
> -${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt
> +client-ca.crt:
> + openssl req -batch -new \
> + -subj 

Re: relayd and TLS client cert verification

2020-11-30 Thread Markus Läll
Hi!

> I have patch on top of this which allows to pass remote certificate
> and/or parts of it to backend hosts via http headers.

Did this patch ever arrive and would it also make sense inside httpd
(in addition to relayd)?

-- 
Markus Läll



Re: relayd and TLS client cert verification

2020-10-25 Thread Ashe Connor
Hi again,

Checking in again to see if there's any appetite for this.

Best,

Ashe

On Thu, Oct 15, 2020, at 5:52 PM, Ashe Connor wrote:
> Hi there,
> 
> A year or two ago I submitted a patch for adding TLS client certificate 
> validation to relayd.  At the time it didn't make it in, and I stopped 
> pursuing it further.  
> (https://marc.info/?l=openbsd-tech=154509330608643=2)
> 
> I'd still like to see this landed, if at all possible.  I'm continuing to use 
> this feature on my own personal websites, and it works well.
> 
> The latest diff is attached, or can be viewed online here: 
> https://github.com/openbsd/src/compare/master...kivikakk:relayd-client-verification.patch
> 
> I've added a test that confirms client failure to connect without a 
> certificate at regress/usr.sbin/relayd/args-ssl-client-verify-fail.pl -- it's 
> a bit awkward.  Let me know if I can redo it better.
> 
> Best,
> 
> Ashe
> 
> ---
> 
> From c63bca7ba7889b43e0a9317e807499eb8ca0db55 Mon Sep 17 00:00:00 2001
> From: Asherah Connor 
> Date: Thu, 15 Oct 2020 17:23:15 +1100
> Subject: [PATCH] TLS client certificate validation
> 
> ---
> regress/usr.sbin/relayd/Client.pm | 13 ++
> regress/usr.sbin/relayd/Makefile  | 18 -
> regress/usr.sbin/relayd/Relayd.pm |  3 +++
> .../relayd/args-ssl-client-verify-fail.pl | 25 +++
> .../usr.sbin/relayd/args-ssl-client-verify.pl | 19 ++
>  usr.sbin/relayd/config.c  | 21 
>  usr.sbin/relayd/parse.y   | 15 ++-
>  usr.sbin/relayd/relay.c   | 21 
>  usr.sbin/relayd/relayd.c  |  9 +++
>  usr.sbin/relayd/relayd.conf.5 |  4 +++
>  usr.sbin/relayd/relayd.h  | 14 +++
> 11 files changed, 155 insertions(+), 7 deletions(-)
> create mode 100644 regress/usr.sbin/relayd/args-ssl-client-verify-fail.pl
> create mode 100644 regress/usr.sbin/relayd/args-ssl-client-verify.pl
> 
> diff --git a/regress/usr.sbin/relayd/Client.pm 
> b/regress/usr.sbin/relayd/Client.pm
> index b3e011de13d..ec6fa64274e 100644
> --- a/regress/usr.sbin/relayd/Client.pm
> +++ b/regress/usr.sbin/relayd/Client.pm
> @@ -57,6 +57,11 @@ sub child {
> PeerAddr => $self->{connectaddr},
> PeerPort => $self->{connectport},
> SSL_verify_mode => SSL_VERIFY_NONE,
> + SSL_use_cert => $self->{offertlscert} ? 1 : 0,
> + SSL_cert_file => $self->{offertlscert} ?
> +"client.crt" : "",
> + SSL_key_file => $self->{offertlscert} ?
> +"client.key" : "",
> ) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
> if ($self->{sndbuf}) {
> setsockopt($cs, SOL_SOCKET, SO_SNDBUF,
> @@ -86,6 +91,14 @@ sub child {
> print STDERR "ssl cipher: ",$cs->get_cipher(),"\n";
> print STDERR "ssl peer certificate:\n",
> $cs->dump_peer_certificate();
> +
> + if ($self->{offertlscert}) {
> + print STDERR "ssl client certificate:\n";
> + print STDERR "Subject Name: ",
> + "${\$cs->sock_certificate('subject')}\n";
> + print STDERR "Issuer  Name: ",
> + "${\$cs->sock_certificate('issuer')}\n";
> + }
> }
>  
> *STDIN = *STDOUT = $self->{cs} = $cs;
> diff --git a/regress/usr.sbin/relayd/Makefile 
> b/regress/usr.sbin/relayd/Makefile
> index cd01aa3fb63..f2198f43cc9 100644
> --- a/regress/usr.sbin/relayd/Makefile
> +++ b/regress/usr.sbin/relayd/Makefile
> @@ -96,7 +96,23 @@ server.req:
> server.crt: ca.crt server.req
> openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in server.req 
> -out server.crt
>  
> -${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt
> +client-ca.crt:
> + openssl req -batch -new \
> + -subj /L=OpenBSD/O=relayd-regress/OU=client-ca/CN=root/ \
> + -nodes -newkey rsa -keyout client-ca.key -x509 \
> + -out client-ca.crt
> +
> +client.req:
> + openssl req -batch -new \
> + -subj /L=OpenBSD/O=relayd-regress/OU=client/CN=localhost/ \
> + -nodes -newkey rsa -keyout client.key \
> + -out client.req
> +
> +client.crt: client-ca.crt client.req
> + openssl x509 -CAcreateserial -CAkey client-ca.key -CA client-ca.crt \
> + -req -in client.req -out client.crt
> +
> +${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt client.crt
> .if empty (REMOTE_SSH)
> ${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: 127.0.0.1.crt
> .else
> diff --git a/regress/usr.sbin/relayd/Relayd.pm 
> b/regress/usr.sbin/relayd/Relayd.pm
> index 98f2ada5db9..896c0b401be 100644
> --- a/regress/usr.sbin/relayd/Relayd.pm
> +++ b/regress/usr.sbin/relayd/Relayd.pm
> @@ -84,6 +84,9 @@ sub new {
> print $fh "\n\ttls ca cert ca.crt";
> print $fh "\n\ttls ca key ca.key password ''";
> }
> + if ($self->{verifyclient}) {
> + print $fh "\n\ttls client ca client-ca.crt";
> + }
> # substitute variables in config file
> foreach (@protocol) {
> s/(\$[a-z]+)/$1/eeg;
> diff --git 

relayd and TLS client cert verification

2020-10-15 Thread Ashe Connor
Hi there,

A year or two ago I submitted a patch for adding TLS client certificate 
validation to relayd.  At the time it didn't make it in, and I stopped pursuing 
it further.  (https://marc.info/?l=openbsd-tech=154509330608643=2)

I'd still like to see this landed, if at all possible.  I'm continuing to use 
this feature on my own personal websites, and it works well.

The latest diff is attached, or can be viewed online here: 
https://github.com/openbsd/src/compare/master...kivikakk:relayd-client-verification.patch

I've added a test that confirms client failure to connect without a certificate 
at regress/usr.sbin/relayd/args-ssl-client-verify-fail.pl -- it's a bit 
awkward.  Let me know if I can redo it better.

Best,

Ashe

---

From c63bca7ba7889b43e0a9317e807499eb8ca0db55 Mon Sep 17 00:00:00 2001
From: Asherah Connor 
Date: Thu, 15 Oct 2020 17:23:15 +1100
Subject: [PATCH] TLS client certificate validation

---
 regress/usr.sbin/relayd/Client.pm | 13 ++
 regress/usr.sbin/relayd/Makefile  | 18 -
 regress/usr.sbin/relayd/Relayd.pm |  3 +++
 .../relayd/args-ssl-client-verify-fail.pl | 25 +++
 .../usr.sbin/relayd/args-ssl-client-verify.pl | 19 ++
 usr.sbin/relayd/config.c  | 21 
 usr.sbin/relayd/parse.y   | 15 ++-
 usr.sbin/relayd/relay.c   | 21 
 usr.sbin/relayd/relayd.c  |  9 +++
 usr.sbin/relayd/relayd.conf.5 |  4 +++
 usr.sbin/relayd/relayd.h  | 14 +++
 11 files changed, 155 insertions(+), 7 deletions(-)
 create mode 100644 regress/usr.sbin/relayd/args-ssl-client-verify-fail.pl
 create mode 100644 regress/usr.sbin/relayd/args-ssl-client-verify.pl

diff --git a/regress/usr.sbin/relayd/Client.pm 
b/regress/usr.sbin/relayd/Client.pm
index b3e011de13d..ec6fa64274e 100644
--- a/regress/usr.sbin/relayd/Client.pm
+++ b/regress/usr.sbin/relayd/Client.pm
@@ -57,6 +57,11 @@ sub child {
PeerAddr=> $self->{connectaddr},
PeerPort=> $self->{connectport},
SSL_verify_mode => SSL_VERIFY_NONE,
+   SSL_use_cert=> $self->{offertlscert} ? 1 : 0,
+   SSL_cert_file   => $self->{offertlscert} ?
+  "client.crt" : "",
+   SSL_key_file=> $self->{offertlscert} ?
+  "client.key" : "",
) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
if ($self->{sndbuf}) {
setsockopt($cs, SOL_SOCKET, SO_SNDBUF,
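Review bot: passing `SSL_cert_file => ""` and `SSL_key_file => ""` when `offertlscert` is unset relies on IO::Socket::SSL treating an empty string as "no file"; it is clearer to add the keys only when a certificate is actually being offered, e.g. `( $self->{offertlscert} ? ( SSL_use_cert => 1, SSL_cert_file => "client.crt", SSL_key_file => "client.key" ) : () ),` in the argument list. Note also that `client.crt` and `client.key` are relative paths, so the client child must be started from the regress directory where the Makefile generates them.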
@@ -86,6 +91,14 @@ sub child {
print STDERR "ssl cipher: ",$cs->get_cipher(),"\n";
print STDERR "ssl peer certificate:\n",
$cs->dump_peer_certificate();
+
+   if ($self->{offertlscert}) {
+   print STDERR "ssl client certificate:\n";
+   print STDERR "Subject Name: ",
+   "${\$cs->sock_certificate('subject')}\n";
+   print STDERR "Issuer  Name: ",
+   "${\$cs->sock_certificate('issuer')}\n";
+   }
}
 
*STDIN = *STDOUT = $self->{cs} = $cs;
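Review bot: style, the `"${\$cs->sock_certificate('subject')}\n"` reference-then-dereference idiom used to interpolate a method call into a string is hard to read; since `print` already takes a list, `print STDERR "Subject Name: ", $cs->sock_certificate('subject'), "\n";` (and the same for the issuer line) says the same thing plainly.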
diff --git a/regress/usr.sbin/relayd/Makefile b/regress/usr.sbin/relayd/Makefile
index cd01aa3fb63..f2198f43cc9 100644
--- a/regress/usr.sbin/relayd/Makefile
+++ b/regress/usr.sbin/relayd/Makefile
@@ -96,7 +96,23 @@ server.req:
 server.crt: ca.crt server.req
openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in 
server.req -out server.crt
 
-${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt
+client-ca.crt:
+   openssl req -batch -new \
+   -subj /L=OpenBSD/O=relayd-regress/OU=client-ca/CN=root/ \
+   -nodes -newkey rsa -keyout client-ca.key -x509 \
+   -out client-ca.crt
+
+client.req:
+   openssl req -batch -new \
+   -subj /L=OpenBSD/O=relayd-regress/OU=client/CN=localhost/ \
+   -nodes -newkey rsa -keyout client.key \
+   -out client.req
+
+client.crt: client-ca.crt client.req
+   openssl x509 -CAcreateserial -CAkey client-ca.key -CA client-ca.crt \
+   -req -in client.req -out client.crt
+
+${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: server.crt client.crt
 .if empty (REMOTE_SSH)
 ${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: 127.0.0.1.crt
 .else
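Review bot: the new `client-ca.crt` and `client.req` targets have no prerequisites, so they are only built when the files are missing, which matches the existing `server.req` target, but the recipes also produce `client-ca.key`, `client.key` and, through `-CAcreateserial`, a `client-ca.srl` serial file; make sure these generated files are added to the Makefile's clean list alongside the server-side ones. A second point: every `*ssl*` and `*https*` target now depends on `client.crt`, so the client key material is generated even for tests that never set `verifyclient`; that is harmless but deserves a short comment above the rule.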
diff --git a/regress/usr.sbin/relayd/Relayd.pm 
b/regress/usr.sbin/relayd/Relayd.pm
index 98f2ada5db9..896c0b401be 100644
--- a/regress/usr.sbin/relayd/Relayd.pm
+++ b/regress/usr.sbin/relayd/Relayd.pm
@@ -84,6 +84,9 @@ sub new {
print $fh "\n\ttls ca cert ca.crt";
print $fh "\n\ttls ca key ca.key password ''";
}
+   if ($self->{verifyclient}) {
+   print $fh "\n\ttls 

Re: relayd and TLS client cert verification

2019-01-06 Thread Ashe Connor
On 18 Dec 2018, at 11:34, Ashe Connor  wrote:
> Revised patch follows (includes mandoc changes).

Last bump.

Happy new year!



Re: relayd and TLS client cert verification

2018-12-17 Thread Ashe Connor
On Fri, Dec 14, 2018 at 10:58:06AM +0100, Sebastian Benoit wrote:
> The parse and config bits look good.
> 
> And the use of tls* looks ok to me too, but I would like to have someone
> more familiar with it to give an ok though.

Sounds good.


> As for style, please make lines not longer than 80 chars.

Thanks for the pick up, I'll be sure to keep that in mind in future.

Revised patch follows (includes mandoc changes).




Index: usr.sbin/relayd/config.c
===
RCS file: /home/kivikakk/cvsync/root/src/usr.sbin/relayd/config.c,v
retrieving revision 1.36
retrieving revision 1.36.8.1
diff -u -p -u -r1.36 -r1.36.8.1
--- usr.sbin/relayd/config.c29 Nov 2017 15:24:50 -  1.36
+++ usr.sbin/relayd/config.c30 Nov 2018 21:10:06 -  1.36.8.1
@@ -900,6 +900,15 @@ config_setrelay(struct relayd *env, stru
rlay->rl_conf.name);
return (-1);
}
+   if (rlay->rl_tls_client_ca_fd != -1 &&
+   config_setrelayfd(ps, id, n,
+   rlay->rl_conf.id, RELAY_FD_CLIENTCACERT,
+   rlay->rl_tls_client_ca_fd) == -1) {
+   log_warn("%s: fd passing failed for "
+   "`%s'", __func__,
+   rlay->rl_conf.name);
+   return (-1);
+   }
/* Prevent fd exhaustion in the parent. */
if (proc_flush_imsg(ps, id, n) == -1) {
log_warn("%s: failed to flush "
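Review bot: because the descriptor is only passed when `rl_tls_client_ca_fd != -1`, a configured `client ca` file that could not be opened would silently leave the relay running without client verification instead of failing; the open of that file is not part of this hunk, so please make sure that path is a hard configuration error at load time (fail closed) rather than a warning. Minor: the `"fd passing failed for `%s'"` message is identical to the preceding fd-passing failures in this function, so the log cannot tell which descriptor failed; naming the kind, e.g. "client ca fd passing failed for `%s'", would help when debugging.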
@@ -945,6 +954,10 @@ config_setrelay(struct relayd *env, stru
close(rlay->rl_tls_ca_fd);
rlay->rl_tls_ca_fd = -1;
}
+   if (rlay->rl_tls_client_ca_fd != -1) {
+   close(rlay->rl_tls_client_ca_fd);
+   rlay->rl_tls_client_ca_fd = -1;
+   }
 
return (0);
 }
@@ -968,6 +981,7 @@ config_getrelay(struct relayd *env, stru
rlay->rl_tls_cert_fd = -1;
rlay->rl_tls_ca_fd = -1;
rlay->rl_tls_cacert_fd = -1;
+   rlay->rl_tls_client_ca_fd = -1;
 
if (ps->ps_what[privsep_process] & CONFIG_PROTOS) {
if (rlay->rl_conf.proto == EMPTY_ID)
@@ -1084,6 +1098,9 @@ config_getrelayfd(struct relayd *env, st
break;
case RELAY_FD_CAFILE:
rlay->rl_tls_cacert_fd = imsg->fd;
+   break;
+   case RELAY_FD_CLIENTCACERT:
+   rlay->rl_tls_client_ca_fd = imsg->fd;
break;
}
 
Index: usr.sbin/relayd/parse.y
===
RCS file: /home/kivikakk/cvsync/root/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.230
retrieving revision 1.230.4.1
diff -u -p -u -r1.230 -r1.230.4.1
--- usr.sbin/relayd/parse.y 1 Nov 2018 00:18:44 -   1.230
+++ usr.sbin/relayd/parse.y 30 Nov 2018 21:10:06 -  1.230.4.1
@@ -175,7 +175,7 @@ typedef struct {
 %token SNMP SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT TLS
 %token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
 %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
-%token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS
+%token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS CLIENT
 %token   STRING
 %token   NUMBER
 %typehostname interface table value optstring
@@ -1246,6 +1246,16 @@ tlsflags : SESSION TICKETS { proto->tick
}
free($3);
}
+   | CLIENT CA STRING  {
+   if (strlcpy(proto->tlsclientca, $3,
+   sizeof(proto->tlsclientca)) >=
+   sizeof(proto->tlsclientca)) {
+   yyerror("tlsclientca truncated");
+   free($3);
+   YYERROR;
+   }
+   free($3);
+   }
| NO flag   { proto->tlsflags &= ~($2); }
| flag  { proto->tlsflags |= $1; }
;
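Review bot: the error text `yyerror("tlsclientca truncated")` exposes the internal struct field; a config author typed `client ca <path>`, so `yyerror("client ca path too long")` describes the problem in their terms. Also, this directive stores the path on the protocol (`proto->tlsclientca`) while the descriptor lives on the relay (`r->rl_tls_client_ca_fd`, initialised in the `relay` rule below); a one-line comment here that the relay opens the file named by its protocol when the configuration is loaded would save the next reader a trip through relayd.c.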
@@ -1687,6 +1697,7 @@ relay : RELAY STRING  {
r->rl_tls_cert_fd = -1;
r->rl_tls_ca_fd = -1;
r->rl_tls_cacert_fd = -1;
+   r->rl_tls_client_ca_fd = -1;
TAILQ_INIT(>rl_tables);
if (last_relay_id == INT_MAX) {
yyerror("too many relays defined");
@@ -2241,6 +2252,7 @@ lookup(char *s)
{ "check",

Re: relayd and TLS client cert verification

2018-12-14 Thread Sebastian Benoit
Ashe Connor(a...@kivikakk.ee) on 2018.11.26 05:29:45 +:
> On Fri, Nov 23, 2018 at 04:41:21PM +0100, Sebastian Benoit wrote:
> > > It appears that relayd doesn't support TLS client certificate validation
> > > (in the manner that httpd does with "tls client ca [cafile]").  Would
> > > there be interest in a patch that added such support?
> > 
> > yes, a patch to support client certificates would be welcome.
> > 
> > /Benno
> 
> Wonderful.  Here's a first pass at such a patch.
> 
> Ashe

Sorry to keep you waiting.

The parse and config bits look good.

And the use of tls* looks ok to me too, but I would like to have someone
more familiar with it to give an ok though.

As for style, please make lines not longer than 80 chars.

> Index: usr.sbin/relayd/config.c
> ===
> RCS file: /home/kivikakk/cvsync/root/src/usr.sbin/relayd/config.c,v
> retrieving revision 1.36
> retrieving revision 1.36.6.1
> diff -u -p -r1.36 -r1.36.6.1
> --- usr.sbin/relayd/config.c  29 Nov 2017 15:24:50 -  1.36
> +++ usr.sbin/relayd/config.c  24 Nov 2018 16:15:37 -  1.36.6.1
> @@ -900,6 +900,15 @@ config_setrelay(struct relayd *env, stru
>   rlay->rl_conf.name);
>   return (-1);
>   }
> + if (rlay->rl_tls_client_ca_fd != -1 &&
> + config_setrelayfd(ps, id, n,
> + rlay->rl_conf.id, RELAY_FD_CLIENTCACERT,
> + rlay->rl_tls_client_ca_fd) == -1) {
> + log_warn("%s: fd passing failed for "
> + "`%s'", __func__,
> + rlay->rl_conf.name);
> + return (-1);
> + }
>   /* Prevent fd exhaustion in the parent. */
>   if (proc_flush_imsg(ps, id, n) == -1) {
>   log_warn("%s: failed to flush "
> @@ -945,6 +954,10 @@ config_setrelay(struct relayd *env, stru
>   close(rlay->rl_tls_ca_fd);
>   rlay->rl_tls_ca_fd = -1;
>   }
> + if (rlay->rl_tls_client_ca_fd != -1) {
> + close(rlay->rl_tls_client_ca_fd);
> + rlay->rl_tls_client_ca_fd = -1;
> + }
>  
>   return (0);
>  }
> @@ -968,6 +981,7 @@ config_getrelay(struct relayd *env, stru
>   rlay->rl_tls_cert_fd = -1;
>   rlay->rl_tls_ca_fd = -1;
>   rlay->rl_tls_cacert_fd = -1;
> + rlay->rl_tls_client_ca_fd = -1;
>  
>   if (ps->ps_what[privsep_process] & CONFIG_PROTOS) {
>   if (rlay->rl_conf.proto == EMPTY_ID)
> @@ -1084,6 +1098,9 @@ config_getrelayfd(struct relayd *env, st
>   break;
>   case RELAY_FD_CAFILE:
>   rlay->rl_tls_cacert_fd = imsg->fd;
> + break;
> + case RELAY_FD_CLIENTCACERT:
> + rlay->rl_tls_client_ca_fd = imsg->fd;
>   break;
>   }
>  
> Index: usr.sbin/relayd/parse.y
> ===
> RCS file: /home/kivikakk/cvsync/root/src/usr.sbin/relayd/parse.y,v
> retrieving revision 1.230
> retrieving revision 1.230.2.2
> diff -u -p -r1.230 -r1.230.2.2
> --- usr.sbin/relayd/parse.y   1 Nov 2018 00:18:44 -   1.230
> +++ usr.sbin/relayd/parse.y   24 Nov 2018 16:15:37 -  1.230.2.2
> @@ -175,7 +175,7 @@ typedef struct {
>  %token   SNMP SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP 
> TIMEOUT TLS
>  %token   TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL 
> RTABLE
>  %token   MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE 
> PASSWORD ECDHE
> -%token   EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS
> +%token   EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS 
> CLIENT
>  %token STRING
>  %token NUMBER
>  %type  hostname interface table value optstring
> @@ -1246,6 +1246,16 @@ tlsflags   : SESSION TICKETS { proto->tick
>   }
>   free($3);
>   }
> + | CLIENT CA STRING  {
> + if (strlcpy(proto->tlsclientca, $3,
> + sizeof(proto->tlsclientca)) >=
> + sizeof(proto->tlsclientca)) {
> + yyerror("tlsclientca truncated");
> + free($3);
> + YYERROR;
> + }
> + free($3);
> + }
>   | NO flag   { proto->tlsflags &= ~($2); }
>   | flag  { proto->tlsflags |= $1; }
>   ;
> @@ -1687,6 +1697,7 @@ relay   : RELAY STRING  {
>   

Re: relayd and TLS client cert verification

2018-12-13 Thread Ashe Connor


> On 6 Dec 2018, at 16:17, Ashe Connor  wrote:
> 
> It's been a week or so, so bumping.  (Benno was kind enough to offer a
> review but was time-poor recently.)

Another friendly ping.  I'd love to do some more work on relayd but only if 
it's desirable/worth someone's time to review.

Cheers,

Ashe



Re: relayd and TLS client cert verification

2018-12-06 Thread Ashe Connor
On Thu, Dec 06, 2018 at 12:46:33PM +, Rivo Nurges wrote:
> I have planned to do it myself for quite long time but never got around
> doing it. In my testing it works great.

Excellent, I'm glad to hear!


> I have patch on top of this which allows to pass remote certificate
> and/or parts of it to backend hosts via http headers.

That would be super useful -- I was planning on doing a similar feature
next.  (I'll probably do CRL support instead.)


Ashe



Re: relayd and TLS client cert verification

2018-12-06 Thread Rivo Nurges
Hi!

I have planned to do it myself for quite long time but never got around
doing it. In my testing it works great.

I have patch on top of this which allows to pass remote certificate
and/or parts of it to backend hosts via http headers.

Rivo


On Thu, 2018-12-06 at 05:17 +, Ashe Connor wrote:
> It's been a week or so, so bumping.  (Benno was kind enough to offer
> a
> review but was time-poor recently.)
> 
> Here's a diff for the manpage too.
> 
> Ashe
> 
> 
> Index: usr.sbin/relayd/relayd.conf.5
> ===
> RCS file:
> /home/kivikakk/cvsync/root/src/usr.sbin/relayd/relayd.conf.5,v
> retrieving revision 1.187
> retrieving revision 1.187.6.1
> diff -u -p -r1.187 -r1.187.6.1
> --- usr.sbin/relayd/relayd.conf.5 6 Aug 2018 18:26:29 -   1.187
> +++ usr.sbin/relayd/relayd.conf.5 30 Nov 2018 21:10:06 -  
> 1.187.6.1
> @@ -939,6 +939,10 @@ will be used (strong crypto cipher suite
>  See the CIPHERS section of
>  .Xr openssl 1
>  for information about SSL/TLS cipher suites and preference lists.
> +.It Ic client ca Ar path
> +Require TLS client certificates whose authenticity can be verified
> +against the CA certificate(s) in the specified file in order to
> +proceed beyond the TLS handshake.
>  .It Ic client-renegotiation
>  Allow client-initiated renegotiation.
>  To mitigate a potential DoS risk,
> 



Re: relayd and TLS client cert verification

2018-12-05 Thread Ashe Connor
It's been a week or so, so bumping.  (Benno was kind enough to offer a
review but was time-poor recently.)

Here's a diff for the manpage too.

Ashe


Index: usr.sbin/relayd/relayd.conf.5
===
RCS file: /home/kivikakk/cvsync/root/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.187
retrieving revision 1.187.6.1
diff -u -p -r1.187 -r1.187.6.1
--- usr.sbin/relayd/relayd.conf.5   6 Aug 2018 18:26:29 -   1.187
+++ usr.sbin/relayd/relayd.conf.5   30 Nov 2018 21:10:06 -  
1.187.6.1
@@ -939,6 +939,10 @@ will be used (strong crypto cipher suite
 See the CIPHERS section of
 .Xr openssl 1
 for information about SSL/TLS cipher suites and preference lists.
+.It Ic client ca Ar path
+Require TLS client certificates whose authenticity can be verified
+against the CA certificate(s) in the specified file in order to
+proceed beyond the TLS handshake.
 .It Ic client-renegotiation
 Allow client-initiated renegotiation.
 To mitigate a potential DoS risk,
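Review bot: the `client ca` entry says which connections are allowed through but not what happens otherwise; stating explicitly that a connection presenting no certificate, or one that does not chain to a CA in `path`, is rejected during the TLS handshake would make the contract clear to an administrator. It would also help to say that only the certificate chain is verified, with no revocation (CRL) checking, since that is what the thread describes the patch as doing, and to cross-reference the equivalent `tls client ca` option in httpd.conf(5) that this mirrors.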



Re: relayd and TLS client cert verification

2018-11-25 Thread Ashe Connor
On Mon, Nov 26, 2018 at 04:29:40PM +1100, Ashe Connor wrote:
> Wonderful.  Here's a first pass at such a patch.

I should add, in addition to the regression test passing, I'm currently
test-running this patch on a live server where client certificates are
mandatory, and it's working well so far.



Re: relayd and TLS client cert verification

2018-11-25 Thread Ashe Connor
On Fri, Nov 23, 2018 at 04:41:21PM +0100, Sebastian Benoit wrote:
> > It appears that relayd doesn't support TLS client certificate validation
> > (in the manner that httpd does with "tls client ca [cafile]").  Would
> > there be interest in a patch that added such support?
> 
> yes, a patch to support client certificates would be welcome.
> 
> /Benno

Wonderful.  Here's a first pass at such a patch.

Ashe

--

Index: usr.sbin/relayd/config.c
===
RCS file: /home/kivikakk/cvsync/root/src/usr.sbin/relayd/config.c,v
retrieving revision 1.36
retrieving revision 1.36.6.1
diff -u -p -r1.36 -r1.36.6.1
--- usr.sbin/relayd/config.c29 Nov 2017 15:24:50 -  1.36
+++ usr.sbin/relayd/config.c24 Nov 2018 16:15:37 -  1.36.6.1
@@ -900,6 +900,15 @@ config_setrelay(struct relayd *env, stru
rlay->rl_conf.name);
return (-1);
}
+   if (rlay->rl_tls_client_ca_fd != -1 &&
+   config_setrelayfd(ps, id, n,
+   rlay->rl_conf.id, RELAY_FD_CLIENTCACERT,
+   rlay->rl_tls_client_ca_fd) == -1) {
+   log_warn("%s: fd passing failed for "
+   "`%s'", __func__,
+   rlay->rl_conf.name);
+   return (-1);
+   }
/* Prevent fd exhaustion in the parent. */
if (proc_flush_imsg(ps, id, n) == -1) {
log_warn("%s: failed to flush "
@@ -945,6 +954,10 @@ config_setrelay(struct relayd *env, stru
close(rlay->rl_tls_ca_fd);
rlay->rl_tls_ca_fd = -1;
}
+   if (rlay->rl_tls_client_ca_fd != -1) {
+   close(rlay->rl_tls_client_ca_fd);
+   rlay->rl_tls_client_ca_fd = -1;
+   }
 
return (0);
 }
@@ -968,6 +981,7 @@ config_getrelay(struct relayd *env, stru
rlay->rl_tls_cert_fd = -1;
rlay->rl_tls_ca_fd = -1;
rlay->rl_tls_cacert_fd = -1;
+   rlay->rl_tls_client_ca_fd = -1;
 
if (ps->ps_what[privsep_process] & CONFIG_PROTOS) {
if (rlay->rl_conf.proto == EMPTY_ID)
@@ -1084,6 +1098,9 @@ config_getrelayfd(struct relayd *env, st
break;
case RELAY_FD_CAFILE:
rlay->rl_tls_cacert_fd = imsg->fd;
+   break;
+   case RELAY_FD_CLIENTCACERT:
+   rlay->rl_tls_client_ca_fd = imsg->fd;
break;
}
 
Index: usr.sbin/relayd/parse.y
===
RCS file: /home/kivikakk/cvsync/root/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.230
retrieving revision 1.230.2.2
diff -u -p -r1.230 -r1.230.2.2
--- usr.sbin/relayd/parse.y 1 Nov 2018 00:18:44 -   1.230
+++ usr.sbin/relayd/parse.y 24 Nov 2018 16:15:37 -  1.230.2.2
@@ -175,7 +175,7 @@ typedef struct {
 %token SNMP SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT TLS
 %token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
 %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
-%token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS
+%token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS CLIENT
 %token   STRING
 %token   NUMBER
 %typehostname interface table value optstring
@@ -1246,6 +1246,16 @@ tlsflags : SESSION TICKETS { proto->tick
}
free($3);
}
+   | CLIENT CA STRING  {
+   if (strlcpy(proto->tlsclientca, $3,
+   sizeof(proto->tlsclientca)) >=
+   sizeof(proto->tlsclientca)) {
+   yyerror("tlsclientca truncated");
+   free($3);
+   YYERROR;
+   }
+   free($3);
+   }
| NO flag   { proto->tlsflags &= ~($2); }
| flag  { proto->tlsflags |= $1; }
;
@@ -1687,6 +1697,7 @@ relay : RELAY STRING  {
r->rl_tls_cert_fd = -1;
r->rl_tls_ca_fd = -1;
r->rl_tls_cacert_fd = -1;
+   r->rl_tls_client_ca_fd = -1;
TAILQ_INIT(>rl_tables);
if (last_relay_id == INT_MAX) {
yyerror("too many relays defined");
@@ -2241,6 +2252,7 @@ lookup(char *s)
{ "check",  CHECK },
 

Re: relayd and TLS client cert verification

2018-11-23 Thread Sebastian Benoit
Ashe Connor(a...@kivikakk.ee) on 2018.11.23 05:55:55 +:
> Hi all,
> 
> It appears that relayd doesn't support TLS client certificate validation
> (in the manner that httpd does with "tls client ca [cafile]").  Would
> there be interest in a patch that added such support?

yes, a patch to support client certificates would be welcome.

/Benno

> 
> Apologies if I've missed something obvious here.
> 
> Best,
> 
> Ashe
> 



relayd and TLS client cert verification

2018-11-22 Thread Ashe Connor
Hi all,

It appears that relayd doesn't support TLS client certificate validation
(in the manner that httpd does with "tls client ca [cafile]").  Would
there be interest in a patch that added such support?

Apologies if I've missed something obvious here.

Best,

Ashe